27 August 2011

The Mid-Atlantic of the United States is experiencing the Operational Risks associated with two natural disasters within the span of one week. Virginia has been a bulls eye with an earthquake and a major hurricane.

RICHMOND, Va. — Virginia Gov. Bob. McDonnell has declared a state of emergency for areas affected by Tuesday’s earthquake that shook people from Georgia to Canada.

McDonnell said Friday in a news release that damage from the 5.8 magnitude earthquake appears to be greater than initial reports. He says the damage has been exacerbated by aftershocks.

McDonnell also says damaged structures could be weakened further by high winds from Hurricane Irene, which is approaching the East Coast.

RICHMOND, Va., Aug. 25, 2011 /PRNewswire/ -- With Hurricane Irene approaching, Dominion Virginia Power and Dominion North Carolina Power are readying repair crews and preparing equipment for emergency restoration work over the next several days. The company is asking its customers, especially those in coastal areas, to take steps to brace for the storm.

"This storm has serious potential to cause widespread damage," said Rodney Blevins, vice president-Distribution Operations for Dominion Virginia Power and Dominion North Carolina Power. "We are geared up to handle any situation as quickly and safely as possible. We are treating Hurricane Irene seriously, and we urge our customers to monitor local weather forecasts for changing conditions in order to remain safe."

The Continuity of Operations Plans (COOP) and Business Continuity Plans (BCP) for the governments and businesses are in full force and it all began without notice. The 5.8 quake shook Washington, DC and many at the Pentagon were having deja vu moments from that morning on 9/11. What was that? How could it be an earthquake?

Soon there after, people began streaming out of buildings, into the metro stations or jumped in their cars to try and get out of the city. All the while on their Blackberry or PDA cell phones. One seemed to be working better than the other. BBM was not interrupted.

Hurricane Irene is still approaching the Washington, DC area at this moment, so we don't know the total impact yet. However, if your business runs on IT systems and most do, hopefully you have already been exercising your contingency plans. It could be days for some areas to have power fully restored.

The business resilience factor is something that can not be under estimated in these times of greater natural disasters and other increasing interruptions to business operations. The professionals associated with keeping your business running and the systems online should be several doors down from the CEO. Think about it. Where do you have the person(s) located who are responsible for the lifeblood and health of your enterprise? Far too often we find that the business leadership is still more than shouting range away from those they rely on to keep the operations running and the organization safe. How is that working for you?

The American Red Cross has a new site that may be more for the small to medium enterprise (SME), but that makes up the majority of businesses in the United States. It is worth a look to help you get your SME in ready for the next earthquake or hurricane:

The American Red Cross Ready Rating™ program is a free, self-paced program designed to help businesses, organizations and schools become better prepared for emergencies. When you join and become a member, you'll complete a 123-point self assessment of your level of preparedness, gain access to tips and best practices information, and commit to improving your score each year to maintain membership.

Members complete a 123-point self assessment of their level of preparedness, gain access to tips and best practices, and commit to improving their score each year to maintain membership. The 123 Assessment has been aligned with the federal government's private sector preparedness standards (PS-Prep).

If you are a business that wants to stay in business, these questions and assessment could save you from business failure. It determines your emergency preparedness efforts in terms of commitment, knowledge of hazard vulnerability, emergency planning, plan implementation and community resiliency. 40% of businesses never reopen after a disaster.

How quickly your company can get back to business after a terrorist attack, a tornado, a fire, or a flood often depends on emergency planning done today. While the Department of Homeland Security is working hard to prevent terrorist attacks, the lessons of the 1993 World Trade Center bombing, the 1995 Oklahoma City bombing and the September 11, 2001 terrorist attacks demonstrate the importance of being prepared.

When you also consider that the number of declared major disasters nearly doubled in the 1990's compared to the previous decade, preparedness becomes an even more critical issue. Though each situation is unique, any organization can be better prepared if it plans carefully, puts emergency procedures in place, and practices for emergencies of all kinds.

And when your organization has had a near miss, not out of business but severely impacted, then it is time to even move up to "The Standard on Disaster/Emergency Management and Business Continuity Programs - NFPA 1600.

• behaviors, at-risk conditions, and other precursors that can lead to incidents are recorded, analyzed, and addressed

The BP Macondo incident has brought to light several areas that will be more highly scrutinized by federal oversight going forward in the Energy Sector. It is inevitable that those companies operating with deep drilling operations will continue to focus on their decades of experience on a management system that instills both safety and security. This will not be enough however in these desperate times with so many new threats and hazards, in the search for new oil reserves hundreds of miles off shore.

In the U.S., the Workplace Safety Rule was published in the Federal Register on October 15, 2010 to incorporate lessons that have been learned from the Deepwater Horizon disaster. Under the rule, there are four relevant areas that are now covered that the previous regulation did not:

Hazard Analysis

Management of Change

Operating Procedures

Mechanical Integrity

We would like to emphasize "Management of Change" and the human factors that are a major challenge to regulate. All operators under U.S. regulation with the enactment of the Drilling Safety Rule and the Workplace Safety Rule, are now required to identify and document potential risks. This will directly impact the accountability for risk assessment and mitigation. These new prescriptive rules for deepwater drilling, directly impact those operators to implement a Safety and Environmental Management System (SEMS) per the law.

Now back to "Management of Change." Change Management is an Operational Risk that has been a continuous challenge. The exception is exemplified by those organizations that have dedicated themselves to a continuous Plan-Do-Check-Act (PDCA) life cycle, inherent to their corporate culture. What are some of the tools and standards that can be implemented in your management system that can assist you in getting to the next level?

Emergencies, crises and disasters like the tsunami in Japan or the recent riots in London, can happen at any time. Organizations around the world are increasingly implementing risk management processes to deal with uncertainty and ensure continuity. But if their suppliers are unable to deliver, or customers unable to purchase, the ability of an organization to achieve its objectives would be compromised. Security management systems for the supply chain to promote resilience at every step of the supply chain, ISO has developed a new standard, ISO 28002:2011, Security management system for the supply chain – Development of resilience in the supply chain.

This International Standard will not only incorporate the PDCA model for quality assurance and change management but also the security of the supply chain. Another area of concern for regulators going forward will be the number of contractors and sub-contractors relationships. A set of global international standards such as ISO 28000 series or ISO 31000 is the correct path for the operator and private sector organization to demonstrate to the U.S. regulators that they are already in the process of managing change effectively in their organization.

Operational Risk Management in the Energy Sector will remain a high priority for the simple fact that it is square one for being a good custodian of the environment and to perpetuate a safe and secure workplace for employees and contractors.

ISO 28002 can be applied to any organization including private, not-for-profit, non governmental, and public sector. Implemented within a management system, the standard enhances an organization’s capacity to manage and survive any disruptive event and take appropriate actions to help ensure its viability and continued operation.

Achieving a continuous change management framework that the regulators will recognize as global best practice and that is monitored consistently, is a prudent strategy for all the members of the Marine Well Containment Company (MWCC). We can only hope, that those who have not yet embarked on this important mission, will be doing so before they take on that next unexplored frontier beyond 5,000 feet below the surface of the ocean.

WASHINGTON — Washington announced on Friday (August 19th, 2011) it would resume the sale of offshore drilling licenses in the Gulf of Mexico, where the BP disaster 16 months ago unleashed the worst maritime oil spill in history.

14 August 2011

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is more damaging than "Outsider Attacks". The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:

57% - Unintentional exposure of private or sensitive data

37% - Virus, worms or other malicious code

32% - Theft of intellectual property

When asked which electronic crimes were most costly or damaging the results were:

38% - Outsiders

33% - Insiders

29% - Unknown

Regarding the "Insiders" reasons were given for not referring for legal action the one that stands out in our mind is this one. 40% could not identify the individual(s) responsible for committing the eCrime. And maybe even more astonishing is that 39% did not have enough information or a lack of evidence to proceed with either civil or criminal litigation.

So what is really going on with the facts presented so far? Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify who the responsible parties are to the incident. This may be for several reasons including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents but what about the "Unknowns" who add an additional 29%. The combination of the two make up 62% of all the incidents in the study. This is where Operational Risk professionals can have a significant impact within the enterprise.

The unauthorized access to information and use of that information is at the center of this issue. When an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret. To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activities.

Regardless of the high tech tools utilized or the systems and controls within the organization there are always methods and processes that if properly implemented, will reduce the number of "Unknowns" and "Insiders." In your particular case, it just may come down to developing more effective situational awareness with your employees. This particular educational and awareness building process may indeed also uncover the individuals within your company, who may be already down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors. Next, all senior staff attend the program and posted on the corporate Intranet are webcast shows with several 5 minute clips of parts of the one day session. Finally, the roll out for the remainder of the employees is tied to the annual 360 degree review, that each manager does with their subordinates in the company. This top down process for injecting the situational awareness of Operational Risks, Insider e-crimes and Corporate Integrity is sure to flush out those who are the current suspects and others who will flee the company.

"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?"

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity.

If your organization does not currently have a program as we have described earlier, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?

06 August 2011

Senior executives continue to wonder why they are continually surprised by certain incidents or events that take place within their enterprise. Operational Risk exposure is hard to manage, without a robust risk management system that is constantly monitoring the business environment you operate in and the people that work within that environment.

If you asked any CEO of a Fortune 500 company about their current financial condition or market position they would be able to answer with confidence and with valid facts and figures to support the statements. Yet if you were to ask the same CEO, about their current exposure to Operational Risks, you may get a "Deer in the Headlights" look followed by less than confident facts about their proactive, preventive or defensive strategies to address:

Governance, Regulatory and Compliance (GRC)

Employee Ethics, Malfeasance, Fraud and Corruption

Continuity of Business Systems Operations

Supply Chain Resilience

Litigation and Class Action Suits

Yet Operational Risks erode the corporate earnings and impact the reputation of the enterprise in the marketplace. The Board of Directors are charged with understanding Operational Risks and how these are being addressed in concert with the organizations strategies for growth or mergers and acquisitions. They are continually asking for more effective risk management systems from the organization and the CEO should be well versed in what, where, who and why they are addressing the threats and the likelihood of these events taking place.

The point is, as the CEO you have no idea when the next significant business disruption is going to take place that impacts the organization. Therefore, the CEO and the enterprise must accept the fact that these Operational Risk events are going to occur, and when they do, the CEO must know what to do immediately and who to assist them with the incident before them.

So if this is the case, that you as a senior corporate leader agree that you can't ever know where or when the next threat is going to take place, then the question presents itself, what are you and the enterprise doing "Today" to mitigate the threat or prepare for the response? You see, every day is a training day and if the organization is not testing itself in some place or some way, the next incident that presents itself could be the final blow. The event that brings the entire enterprise to it's knees or the failure that changes the entire world's perception of who you are and what you represent.

With the stakes that high, wouldn't you want to know what people in the organization are doing each day to manage risks in their business unit, department and section? What are the contingency plans and when was the last time they were exercised? Is once a year enough, based upon the speed of change in your business environment? Maybe not.

Are you Indispensable? To your employees, your shareholders, your customers? The fact is that you and your organization are not as ready as you could be and you are not as indispensable as you want to be. There are plenty of examples out there on the planet however, that make sense to model or examine and to learn from based upon the way they behave in the marketplace and the value they bring from being so consistent, reputable and resilient to all that the risk environment can throw at them. They are not perfect, but maybe close:

Of the top 25 industrial corporations in the United States in 1900, only two remained on that list at the start of the 1960s. And of the top 25 companies on the Fortune 500 in 1961, only six remain there today. Some of the leaders of those companies that vanished were dealt a hand of bad luck. Others made poor choices. But the demise of most came about because they were unable simultaneously to manage their business of the day and to build their business of tomorrow. As you read this, IBM begins its 101st year. Today we take a moment to step back and view the longer arc of history. We’d like to share some of what we have learned—sometimes in humbling ways—on our journey so far. A century of corporate life has taught us this truth: To make an enduring impact over the long term, you have to manage for the long term.

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institutions activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke